4.1 changelog discrepancy? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread askthelist
I have a stateless rule on one of my boxes which was just upgraded from 4.0 to
4.1. After the upgrade there were some odd issues that were reported and
after looking into them I tracked the source of the issues down to a rule
that was set not to keep state in pf.conf, but was actually keeping state
with the S/SA flags set. I was able to manipulate the rule to use other
flags and saw the change reflected but when reverting back to the stateless
rule flags S/SA keep state was the actual behavior which
confused/frustrated me. So I looked at the changelog again to take a closer
look at what changes were made to PF and came across this line:

*Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

which confuses me even more. Anyone seeing the same issues I am?



Re: 4.1 changelog discrepancy? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread Otto Moerbeek
On Mon, 14 May 2007, [EMAIL PROTECTED] wrote:

> I have a stateless rule on one of my boxes which was just upgraded from 4.0 to
> 4.1. After the upgrade there were some odd issues that were reported and
> after looking into them I tracked the source of the issues down to a rule
> that was set not to keep state in pf.conf, but was actually keeping state
> with the S/SA flags set. I was able to manipulate the rule to use other
> flags and saw the change reflected but when reverting back to the stateless
> rule flags S/SA keep state was the actual behavior which
> confused/frustrated me. So I looked at the changelog again to take a closer
> look at what changes were made to PF and came across this line:
>
> *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.
>
> which confuses me even more. Anyone seeing the same issues I am?

I don't think you've read http://www.openbsd.org/faq/upgrade41.html
before upgrading.

-Otto



Re: 4.1 changelog discrepancy? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread Rivanor P. Soares

On 5/14/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I have a stateless rule on one of my boxes which was just upgraded from 4.0 to
> 4.1. After the upgrade there were some odd issues that were reported and
> after looking into them I tracked the source of the issues down to a rule
> that was set not to keep state in pf.conf, but was actually keeping state
> with the S/SA flags set. I was able to manipulate the rule to use other
> flags and saw the change reflected but when reverting back to the stateless
> rule flags S/SA keep state was the actual behavior which
> confused/frustrated me. So I looked at the changelog again to take a closer
> look at what changes were made to PF and came across this line:
>
> *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.
>
> which confuses me even more. Anyone seeing the same issues I am?

From the URL http://www.openbsd.org/faq/upgrade41.html :


1.2. Operational changes

- flags S/SA keep state implicit in pf.conf(5)

flags S/SA keep state is now the default for pass rules in pf.conf(5),
and new no state and flags any options have been added to override
these defaults. Current rulesets will continue to load, but the
behaviour may be slightly changed as these defaults are more
restrictive. Rulesets with stateless filtering (no state) or a
requirement to create states on intermediate packets (flags any)
should be updated to explicitly request the desired behaviour.

--
Rivanor
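
An added example, not part of the thread and not OpenBSD project code: a small audit that lists the pass rules in a pf.conf that pick up the 4.1 defaults quoted above because they do not spell out `no state`, a state option, or `flags`. The sample ruleset, interface name and ports are constructed, and the matching is a keyword heuristic (no macro expansion, anchors or quoted-string handling).

```python
import re

# Constructed sample ruleset (not from the thread); interface and ports are made up.
SAMPLE_PF_CONF = """\
pass in on em0 proto tcp to port 22   # written for 4.0, meant to be stateless
pass in on em0 proto udp to port 53 no state
pass out on em0 proto tcp all flags any \\
    keep state
block in log all
pass in quick on em0 proto tcp to port 80 flags S/SA modulate state
"""

STATE_RE = re.compile(r"\b(?:no|keep|modulate|synproxy)\s+state\b")
FLAGS_RE = re.compile(r"\bflags\s+\S+")

def logical_lines(text):
    """Yield (first_line_number, rule): comments stripped, backslash continuations joined."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start or num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def audit(text):
    """Return (line, rule, implicit_defaults) for pass rules relying on the 4.1 defaults."""
    findings = []
    for num, rule in logical_lines(text):
        if rule.split()[0] != "pass":
            continue
        state = STATE_RE.search(rule)
        if state and state.group().startswith("no"):
            continue  # explicitly stateless: neither default is applied
        implied = ["flags S/SA"] if not FLAGS_RE.search(rule) else []
        if not state:
            implied.append("keep state")
        if implied:
            findings.append((num, rule, implied))
    return findings

if __name__ == "__main__":
    for num, rule, implied in audit(SAMPLE_PF_CONF):
        print(f"line {num}: {rule}  <- implicit in 4.1: {' '.join(implied)}")
```

Any rule it reports that was meant to be stateless needs an explicit `no state`, and one that must create state on intermediate packets needs `flags any`, as the upgrade guide says.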